CVE-2026-33033

MEDIUM

Django < 6.0.4, 5.2.13, 4.2.30 - MultiPartParser Base64 Upload Denial of Service


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-33033. PoCs have been published by adminlove520 and ch4n3-yoon.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-33033, a denial-of-service vulnerability in Django's `MultiPartParser` caused by excessive CPU usage during base64-encoded file uploads with whitespace. The exploit demonstrates a ~2,100x CPU amplification factor, tying up Django workers for extended periods.

Description

An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` that include excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Exploits (2)

GitHub · working PoC · 3 stars
by adminlove520 · tags: python, poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-33033

Classification: working PoC (100%)
Attack type: DoS
Complexity: moderate
Reliability: reliable
Target: Django (versions <= 6.0.3, <= 5.2.11, <= 5.1.x, <= 5.0.14, <= 4.2.28)
Authentication: none needed
Prerequisites: a Django server with a file upload endpoint; network access to the target server
Analyzed by devstral-2 on May 05, 2026
Nomisec · working PoC
by ch4n3-yoon · tags: poc
https://github.com/ch4n3-yoon/CVE-2026-33033-PoC

This repository contains a functional exploit PoC for CVE-2026-33033, a DoS vulnerability in Django's `MultiPartParser` caused by excessive CPU amplification during base64-encoded file uploads with whitespace. The exploit demonstrates how a 2.5 MB request can tie up a Django worker for ~5 seconds due to inefficient byte-by-byte processing.

Classification: working PoC (100%)
Attack type: DoS
Complexity: moderate
Reliability: reliable
Target: Django (versions <= 6.0.3, <= 5.2.11, <= 5.1.x, <= 5.0.14, <= 4.2.28)
Authentication: none needed
Prerequisites: a Django server with a file upload endpoint; network access to the target server
Analyzed by devstral-2 on Apr 10, 2026

References (3)

Vendor advisory: Django security archive
https://docs.djangoproject.com/en/dev/releases/security/
Mailing list: Django releases announcements
https://groups.google.com/g/django-announce
Vendor advisory: Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Scores

CVSS v3: 6.5
EPSS: 0.0005
EPSS percentile: 15.7%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-407
Status: published

Products (10)
djangoproject/Django 4.2 - 4.2.30
djangoproject/django 4.2 - 4.2.30
djangoproject/Django 4.2.30
djangoproject/Django 5.2 - 5.2.13
djangoproject/Django 5.2.13
djangoproject/Django 6.0 - 6.0.4
djangoproject/Django 6.0.4
pypi/Django 4.2 - 4.2.30 (PyPI)
pypi/Django 5.2 - 5.2.13 (PyPI)
pypi/Django 6.0 - 6.0.4 (PyPI)

Published: Apr 07, 2026
Tracked since: Apr 07, 2026